U.S. Senators Gary Peters (D-MI) and Rob Portman (R-OH), chairman and ranking member of the Homeland Security and Governmental Affairs Committee, introduced bipartisan legislation to help protect federal and critical infrastructure systems by strengthening the security of open source software. The legislation comes after a hearing called by Peters and Portman on the Log4j incident earlier this year, and would direct the Cybersecurity and Infrastructure Security Agency (CISA) to help ensure that open source software is used securely by the federal government, critical infrastructure and others. A vulnerability discovered in Log4j, a widely used piece of open source code, has affected millions of computers worldwide, including critical infrastructure and federal systems. This has led top cybersecurity experts to call it one of the most severe and widespread cybersecurity vulnerabilities ever seen.
“Open source software is the foundation of the digital world and the Log4j vulnerability has demonstrated how much we depend on it. This incident presented a serious threat to federal systems and critical infrastructure businesses – including banks, hospitals and utilities – that Americans rely on every day for essential services,” said Senator Peters. “This common-sense bipartisan legislation will help secure open-source software and further strengthen our cybersecurity defenses against cybercriminals and foreign adversaries who launch relentless attacks on networks across the country.”
“As we saw with the Log4Shell vulnerability, the computers, phones and websites we use every day contain open source software that is vulnerable to cyberattacks,” Senator Portman said. “The bipartisan Securing Open Source Software Act will ensure that the US government anticipates and mitigates security vulnerabilities in open source software to protect Americans’ most sensitive data.”
“This important legislation will, for the first time ever, codify open source software as public infrastructure,” said Trey Herr, director, Cyber Statecraft Initiative, Scowcroft Center for Strategy and Security, Atlantic Council. “If signed into law, it will be a historic step for broader federal support for the health and safety of open source software. I am encouraged by the leadership of Senators Peters and Portman on this issue.”
The overwhelming majority of computers in the world rely on open source code: freely available code that anyone can contribute to, develop, and use to build websites, apps, and more. It is maintained by a community of individuals and organizations. The federal government, one of the largest users of open source software in the world, must be able to manage its own risks and also help support the security of open source software in the private sector and the rest of the public sector.
The Securing Open Source Software Act would direct CISA to develop a risk framework to assess how open source code is used by the federal government. CISA would also assess how the same framework could be voluntarily used by critical infrastructure owners and operators. This could identify ways to mitigate risk in systems that use open source software. The legislation also requires CISA to hire professionals experienced in developing open source software to ensure that the government and the open source community work together and are prepared to deal with incidents such as the Log4j vulnerability. Additionally, the legislation requires the Office of Management and Budget (OMB) to provide guidance to federal agencies on the secure use of open source software, and to create a software security subcommittee within CISA’s Cybersecurity Advisory Board.